How to find what policies clients or servers get using SCCM or Powershell

How to find what policies the clients or servers get using SCCM or Powershell.
One of my challenges I had over my IT career in group policy is that we definitely creating dozens of GPO’s and applying it on servers and clients straightforwardly and knowing that those domain members objects will get the GPO within next 15 minutes.

However, in some situations, we would like to know who got certain group policy right now, we don’t know to share the exact number and we’re relying on that the computers or users will get the GPO sometime because they are members of, or part of X OU.

This situation put us on spot and on inconvenience state, therefore in this article I am going to share several ways that will help you to see the exact numbers that your clients getting policies.

The purpose is the see how many clients get certain GPO, or in other words, find all computers that get certain GPO.

There are 3 main options we can get this crucial information:

SCCM, Powershell, gpinventory

Let’s start with SCCM – Options 1:

We are going to add Group Policy WMI class on Hardware inventory.

Open you SCCM and go to “Administration” > “Client Settings” > “Edit Default Client Settings” and then get to “Hardware Inventory“, Click on “Set Classes”

Find all computers that get certain GPO

On set classes Click on “Add” and then “Connect” and add this:
root\rsop\computer” (You can any computer in your domain):

SCCM GPO Report

In the inventory classes search for “RSOP_GPO

SCCM GPO result query

Then, add these options:

SCCM GPO Report

Great, now SCCM will start to collect all GPO details from your clients, servers.
You can wait for next Hardware inventory cycle or run it manually

Once it’s completed (wait 20-15 minutes) go to query on SCCM and create new query:

Add new object under “General“:

SCCM GPO result query
SCCM GPO result query

select SMS_G_System_RSOP_GPO.name, SMS_R_System.Name, SMS_G_System_OPERATING_SYSTEM.Caption, SMS_R_System.LastLogonUserName from SMS_R_System inner join SMS_G_System_RSOP_GPO on SMS_G_System_RSOP_GPO.ResourceID = SMS_R_System.ResourceId inner join SMS_G_System_OPERATING_SYSTEM on SMS_G_System_OPERATING_SYSTEM.ResourceId = SMS_R_System.ResourceId

Run the query and here you can see the results 🙂

The query works!:

SCCM GPO result query

Now, I want to take it one more step a head and generate a new report from this for SCCM:

Open a new report following this article:
https://www.pelegit.co.il/report-os-counts-sccm/

Just use this SQL query

select all SMS_G_System_RSOP_GPO.name00,SMS_R_System.Name0,SMS_G_System_OPERATING_SYSTEM.Caption00,SMS_R_System.User_Name0 from vSMS_R_System AS SMS_R_System INNER JOIN RSOP_GPO_DATA AS SMS_G_System_RSOP_GPO ON SMS_G_System_RSOP_GPO.MachineID = SMS_R_System.ItemKey INNER JOIN Operating_System_DATA AS SMS_G_System_OPERATING_SYSTEM ON SMS_G_System_OPERATING_SYSTEM.MachineID = SMS_R_System.ItemKey

image 18

Then, we will create new matrix:

Find who get certain GPO



image 12
Find who get certain GPO
Find who get certain GPO

Run the report and see this!:

Find who get certain GPO

And if you press on “+’ you will get all computers, Users and OS!:

Find who get certain GPO

Guys, this is amazing!!!, you can see how many computers get a GPO of user, computers and OS!

You can save this report and allow accessing it by Web to any IT member.

The second option I would recommend who hasn’t SCCM is get same result by running the following Powershell command:

$Result =@(
$Computers =  Get-ADComputer -Filter {Enabled  -eq "True" } -SearchBase "OU" | select name 

Foreach ($comp in $Computers)

{


if (test-connection  $comp.name -Count 1 -ErrorAction Ignore) {Get-WMIObject RSOP_GPO -namespace root\rsop\computer -ComputerName $comp.name  -ErrorAction Ignore| Select name, PSComputerName }



}

)


$Result  | Export-csv C:\GroupPolicy.csv

The third option is downloading the “gpoinvrntory” tool and run the tool on certain OU:
Download:

https://www.microsoft.com/en-us/download/details.aspx?id=14126

How to use it:
https://www.itprotoday.com/windows-78/monitor-gpo-deployment

That’s all guys, I do think that this information will give you control and comprehensive perspective on your environment, do not forget, using controlled infrastructures your environment will be better! in term of stability, managerial and functionality, these are some keys of efficient environment.